(54) Method and device to communicate with a device not belonging to the same virtual private network

(57) The invention relates notably to a method for enabling a user registered in a Network Access Server as already connected to a Virtual Private Network to communicate with at least one communication device not belonging to that Virtual Private Network. The Network Access Server enables access over a data communication network to the communication device as well as to a plurality of Virtual Private Networks.

According to the invention, the method consists in sending messages belonging to a communication between the user and the communication device over a logical channel between the Network Access Server and the communication device, where the logical channel refers to an identifier of the Virtual Private Network.
Description

[0001] The present invention relates to data communication systems and more particularly to an access method implemented in a network access server for enabling end-users to access the core network.

[0002] The framework of this invention concerns the way individuals and companies are given access to interconnected data communication networks. Interconnected data communication networks consist for example of the public Internet and of a plurality of virtual private networks (VPNs) operated by third parties. These third party VPNs may be corporate intranets to which external access is severely controlled, for example by firewalls. External access to a third party VPN has however to be permitted, for example for employees on travel to be able to access the corporate intranet by means of laptops wherever they are located, or for home-working. This kind of external access to third party VPNs is usually provided by an access service provider owning a Network Access Server (NAS).
[0003] Several value-added services proposed by access service providers require that an end-user, while being connected to one third party VPN over a NAS, can simultaneously access a local service network, called local VPN, associated to the NAS and usually operated by the access service provider, without disconnecting from the third party VPN.

[0004] An issue related to this kind of simultaneous access is due to addressing schemes. Heterogeneous interconnected networks are harmonized by all supporting the Internet Protocol (IP) or any of its variations. Usually, and because of the restricted number of IP addresses available to an access service provider, the NAS uses overlapping address pools for different VPNs. As a consequence, two users connected to two different third party VPNs over the same NAS may have been attributed the same IP address. Thanks to the IP address and the identity of the VPN from which a message has been sent, the NAS can univocally distinguish the two users having the same IP address.

[0005] This becomes a problem if one of these users wants to be simultaneously connected to one and the same further communication device without releasing the connection to its corresponding third party VPN. Such a communication device may be a server belonging to a VPN, called local VPN, associated to the NAS and owned by the access service provider. In that case, the NAS is no longer able to distinguish the two users, since both have the same IP address and both receive messages from the same local VPN.

[0006] A common method for solving this problem consists in introducing a network address translation (NAT) in the NAS. In this approach, the IP address of the user is translated in the NAS itself, such that for communication towards servers of the local VPN, each user appears to have a unique IP address. This approach has a number of important drawbacks: first of all it puts a heavy load on the NAS, since each IP packet flowing between the user and the local VPN has to be translated and as a consequence to be modified. Recent variations of the IP protocol, such as IPsec, rely on the fact that packets should not be altered between the endpoints, while NAT does alter them. As a consequence, this solution imposes some restrictions on the protocols that can be used, and hence on the services that can be offered.
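The drawback stated in [0006], as an added illustration that is not part of the patent: the sender tags the fields an endpoint expects to reach it unaltered, in the manner of an IPsec-style integrity check, here simplified to an HMAC over source address, destination address and payload. The key, addresses and payload are constructed for the example. Rewriting the source address in the NAS invalidates the tag, while wrapping the packet in an outer header that names the host VPN leaves the inner packet exactly as sent.

```python
"""Why NAT in the NAS breaks end-to-end integrity and encapsulation does not.
Added example, not from the patent. The tag stands in for an IPsec-style
integrity check: an HMAC over fields the endpoints expect to stay unaltered.
Key, addresses and payload are constructed for the example."""
import hashlib
import hmac

KEY = b"constructed-key-shared-by-the-endpoints"   # constructed, not from the patent

def integrity_tag(src: str, dst: str, payload: bytes) -> bytes:
    """Sender-side tag over the fields that must reach the peer unchanged."""
    return hmac.new(KEY, ("%s|%s|" % (src, dst)).encode() + payload, hashlib.sha256).digest()

def verify(pkt: dict) -> bool:
    """Receiver-side check of the tag, with a constant-time comparison."""
    return hmac.compare_digest(integrity_tag(pkt["src"], pkt["dst"], pkt["payload"]), pkt["tag"])

def make_packet(src: str, dst: str, payload: bytes) -> dict:
    """A tagged packet as the user's terminal would emit it."""
    return {"src": src, "dst": dst, "payload": payload, "tag": integrity_tag(src, dst, payload)}

def nat_in_nas(pkt: dict, unique_src: str) -> dict:
    """The NAT approach of [0006]: the NAS rewrites the source so each user looks unique."""
    translated = dict(pkt)
    translated["src"] = unique_src
    return translated

def encapsulate(pkt: dict, vpn_id: str) -> dict:
    """The invention's approach: an outer header names the host VPN, the inner packet is untouched."""
    return {"channel_id": vpn_id, "inner": pkt}

def nat_breaks_integrity() -> bool:
    """True when the translated packet no longer verifies at the server."""
    pkt = make_packet("192.168.1.5", "10.0.0.7", b"hello")
    return not verify(nat_in_nas(pkt, "203.0.113.5"))

def encapsulation_keeps_integrity() -> bool:
    """True when the packet extracted from the logical channel still verifies."""
    pkt = make_packet("192.168.1.5", "10.0.0.7", b"hello")
    return verify(encapsulate(pkt, "vpn152")["inner"])
```

Real IPsec AH covers more of the header than this toy tag, and ESP with NAT traversal later worked around address rewriting for that protocol; the point the paragraph makes still stands, namely that a NAS which rewrites addresses cannot remain transparent to any protocol that authenticates them. Note also that encapsulation keeps the user's original, possibly overlapping, source address visible to the local server, which is exactly why the return path has to carry the VPN identifier as well.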

[0007] Another method of solving this problem consists in allocating multiple IP addresses to the user. Depending on whether a given application is associated with a third party VPN or with the services in the local VPN, the application will use a different IP address to send its packets. This solution assumes that there is a well-controlled mechanism to specify, for each application, which IP address it has to use at a given point in time. This is extremely difficult to guarantee in case the same application is used to access successively services in different VPNs, e.g. if the user is browsing from a URL in VPN 1 to a URL in VPN 2. In other words, the solution is extremely complex to realize, since typically the access service provider has no control over the applications and protocol stacks running on the user terminal.

[0008] A particular object of the present invention is to provide a method that remains transparent for the end-users, since none of them need to care about a mechanism for distinguishing between several IP addresses.

[0009] Another object of the invention is to provide a method that does not overload the NAS too much.

[0010] These objects, and others that appear below, are achieved by a method for enabling a user registered in a NAS as already connected to a VPN, called host VPN, to communicate with at least one communication device not belonging to the host VPN, the NAS having access over a data communication network to the communication device and to a plurality of VPNs. The method comprises a step of sending messages belonging to a communication between the user and the communication device over a logical channel between the NAS and the communication device, the logical channel referring to an identifier of the host VPN.

[0011] This method has the advantage that it does not require IP packet alteration.

[0012] The present invention also concerns a Network Access Server according to claims 8 and 9.

[0013] Other characteristics and advantages of the invention will appear on reading the following description of a preferred implementation given by way of non-limiting illustration, and from the accompanying drawings, in which:

Figure 1 shows a physical architecture of interconnected data communication networks where the present invention can be applied;
Figure 2 shows an embodiment of a NAS according to the present invention.
[0014] Figure 1 shows a physical architecture of interconnected data communication networks comprising several VPNs 151, 152, 153 and access networks 121, 122 interconnected through a core network 14, for example the public Internet or leased lines.

[0015] End-users 111, ..., 114 are connected over access networks 121, 122 to NASs 131, 132. NASs 131, 132 enable the access of end-users 111, ..., 114 to the core network 14 and to the interconnected data communication networks 151, ..., 153. Some servers 161, ..., 164 belonging to the different VPNs 151, ..., 153 are represented on the figure by way of example. Servers 161 and 162 belong to VPN 151, server 163 to VPN 152 and server 164 to VPN 153. These servers contain VPN specific information and preferably support features like authentication or authorization.

[0016] VPN 151 plays a privileged role in that it is preferably associated to NAS 131 and is called local VPN in the following. For example, the NAS as well as the local VPN are owned by a single access service provider. This is however not a requirement of the invention. VPNs 152 and 153 are preferably third party VPNs, for example corporate intranets.

[0017] Local VPN 151 may be interconnected to core network 14 as represented on the figure. Alternatively, local VPN 151 can also be directly connected to NAS 131. Several different NASs 131, 132 can be associated to the same local VPN 151.

[0018] Access networks 121 and 122 may be usual telephone networks like PSTN or ISDN, cable networks, or radio networks.

[0019] If access networks 121, 122 are usual telephone networks, NASs 131, 132 comprise analog modems to terminate PSTN analog connections. In case of an ISDN digital connection, the signal need not be demodulated. NASs 131, 132 also comprise a router function and a gateway to the core network.
[0020] In the description below, an example will be used to illustrate the invention. In this example, it is assumed that user 111 communicates with server 163 belonging to VPN 152. This communication takes place over NAS 131. It is also assumed that user 112 communicates with server 164 belonging to VPN 153. This communication also takes place over NAS 131. Preferably, we consider a situation where a connection is currently established between user 111 and VPN 152 as well as between user 112 and VPN 153. These connections are preferably realized as PPP (Point to Point Protocol) connections between users 111, respectively 112, and NAS 131, in combination with appropriate routing table settings in NAS 131. Any other type of connection usually used in an access network may also be considered.

[0021] During connection setup, an IP address is allocated to the user requiring the connection, for the duration of the connection. During the connection setup, each user 111, 112 also indicates to NAS 131 to which VPN it wants to connect.

[0022] As NAS 131 usually has a limited pool of IP addresses at its disposal, a single IP address may be allocated to different users connected at the same time to NAS 131, on the condition that these users want to be connected to different VPNs. To this extent, the IP address alone does not univocally identify the user. As a consequence, only the association of the VPN to which a user is connected and its IP address univocally identifies the user at the NAS. In this example, it is assumed that user 111 and user 112 are allocated the same IP address by NAS 131 during connection setup. This complies with the above remark since both want to connect to different VPNs.

[0023] During connection setup, NAS 131 fills in a table comprising information related to the connections established between users 111, 112 attached to NAS 131 and VPNs 152, 153. This information is held in the table for the whole duration of a connection. An entry of this table preferably comprises a user identification specific to access network 121 (e.g. a calling number), the IP address allocated to that user and a VPN identifier indicating to which VPN that user is currently connected.

[0024] Assume that, in parallel to the already established connections, user 111 wants to communicate simultaneously with server 161 located in local VPN 151 without releasing its connection to VPN 152. A message destined to server 161, comprising the source IP address of user 111 as well as the destination IP address of server 161, is sent to NAS 131. NAS 131 detects that, although user 111 is already connected to VPN 152, the message containing the destination IP address of server 161 should be directed toward VPN 151.

[0025] Assume that server 161 were to answer this message with an answer message directed to user 111; it would build an IP message containing as destination address the IP address of user 111 found in the received message. Upon reception of this answer message, NAS 131 would not be able to identify univocally that this answer message is destined to user 111, since user 112 has the same IP address.

[0026] According to the invention, as soon as NAS 131 detects that a message is destined to a server 161 not belonging to the VPN 152 to which user 111 is registered as already connected, the message is directed on a logical channel having, as logical channel identifier, the identifier of VPN 152 to which user 111 is registered as already connected.

[0027] The principle of logical channels as such is generally known to those skilled in the art, and logical channels are realized by means of several techniques.

[0028] The realization of the logical channel between NAS 131 and VPN 151 may, for example, be done by means of encapsulation. NAS 131 should encapsulate each message destined to server 161 in a packet the header part of which contains an identifier of the VPN to which user 111 is registered as already connected. A particular form of encapsulation, called tunneling, may also be used. One principle of tunneling is to encapsulate protocol data corresponding to a certain layer in the OSI communication model in other protocol data corresponding to the same layer in the OSI communication model. This is advantageous in heterogeneous networks for privacy and security matters.

[0029] In case server 161 has to answer a message sent by user 111 and received over a logical channel having an identifier of VPN 152 as logical channel identifier, server 161 sends back the answer message over the same logical channel. Upon reception of the answer message at NAS 131, the latter identifies the logical channel identifier of the logical channel on which the message has been received and extracts the message from the logical channel. NAS 131 can univocally identify to which user the answer message is destined, since it has access to the IP address contained in the answer message as well as to the identifier of the VPN to which the user is already connected. With this pair of information, the NAS is able to identify univocally user 111.

[0030] An advantage of this method is that it is transparent for the end-users.

[0031] Figure 2 shows an embodiment of a NAS according to the present invention. The NAS 20 comprises a forwarding engine 21, a logical channel controller 22, a routing part 23 and a table 24. NAS 20 also comprises three interfaces: a first interface 201 to the access network and users, a second interface 202 to a local VPN (local VPN 151 shown on figure 1) and a third interface 203 to third party VPNs (VPNs 152 and 153 shown on figure 1).

[0032] First interface 201 is connected to forwarding engine 21, which is in turn connected to logical channel controller 22 as well as to routing part 23. Logical channel controller 22 is connected to second interface 202 and routing part 23 is connected to third interface 203. Logical channel controller 22 as well as routing part 23 can access table 24. Table 24 is a database comprising entries registering the already established connections between a user and a third party VPN. Each entry comprises an identification of the user specific to the access network to which this user is connected, the IP address of this user and an identifier of the third party VPN to which the user is connected. Other information may also be available in each entry.

[0033] Upon reception of a message on the first interface 201, forwarding engine 21 checks if this message is destined to the local VPN or to a third party VPN to which the user is already connected. This check is done by analyzing the destination IP address contained in the message.

[0034] If the message is destined to a third party VPN, the message is transparently conveyed to routing part 23 and sent over third interface 203.

[0035] If the message is destined to the local VPN, the message is transmitted to logical channel controller 22. Logical channel controller 22 checks the source IP address contained in the message and searches in table 24 whether this user is already connected to a third party VPN. If this is the case, it extracts the identifier of the third party VPN to which the user is already connected. Logical channel controller 22 then directs the message on a logical channel having as logical channel identifier the third party VPN identifier or any identifier univocally derived therefrom. If the user is not connected to any VPN, a default reserved logical channel identifier is used to send the message to the local VPN.

[0036] Upon reception of a message on the second interface 202, logical channel controller 22 is responsible for finding to which VPN, if any, the user to which this message is destined is already connected. For this purpose, logical channel controller 22 extracts the logical channel identifier of the channel on which the message has been received over interface 202. The VPN identifier may be identical to the logical channel identifier or univocally deduced therefrom by means of an association table not represented on figure 2.

[0037] Logical channel controller 22 also extracts the destination IP address contained in the message. Then, logical channel controller 22 searches in table 24 for the user corresponding to the IP address and the VPN identifier. This identifies univocally the user to which the message has to be transmitted. The message is then transmitted to forwarding engine 21, which sends the message on the first interface 201 to the identified user.
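The scenario of [0024] to [0029] and the forwarding steps of [0033] to [0037], as an added worked example that is not code from the patent. It models NAS 20 of Figure 2 in Python: table 24 as a dictionary keyed by the access-network user identification, the three interfaces as output lists, and the logical channel as an encapsulating header whose identifier is derived univocally from the host VPN identifier (claims 4 and 5), with the reserved default channel of [0035] for users connected to no VPN. Assumptions not in the patent: the local VPN is recognised by an IPv4 prefix, the addresses and identifiers are constructed, and a packet arriving on interface 201 is already bound to the user's session (the PPP connection of [0020]), which is how the controller knows which table entry a source address belongs to when two users share that address.

```python
"""Toy model of NAS 20 (Figure 2). Added example, not code from the patent.
Assumed, not in the patent: local VPN = IPv4 prefix; logical channel =
encapsulating header; a packet on interface 201 is bound to its session."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DEFAULT_CHANNEL = "chan-none"   # reserved channel for users on no VPN ([0035])

@dataclass(frozen=True)
class Packet:               # the user's IP packet, carried unmodified (no NAT)
    src: str
    dst: str
    payload: bytes

@dataclass(frozen=True)
class Encapsulated:         # message on a logical channel (claims 4 and 5)
    channel_id: str
    inner: Packet

@dataclass(frozen=True)
class Entry:                # one row of table 24 ([0023], [0032])
    user_id: str            # access-network id, e.g. the calling number
    ip: str                 # IP address allocated at connection setup
    vpn_id: Optional[str]   # host VPN identifier, None if on no VPN

def channel_for(vpn_id: Optional[str]) -> str:
    """Logical channel identifier derived univocally from the VPN id."""
    return DEFAULT_CHANNEL if vpn_id is None else "chan-" + vpn_id

def vpn_for(channel_id: str) -> Optional[str]:
    """Inverse mapping (the association table of [0036])."""
    if channel_id == DEFAULT_CHANNEL:
        return None
    if not channel_id.startswith("chan-"):
        raise ValueError("unknown logical channel %r" % channel_id)
    return channel_id[len("chan-"):]

class NAS:
    def __init__(self, local_vpn_prefix: str) -> None:
        self.local_net = ip_network(local_vpn_prefix)     # local VPN 151
        self.table: Dict[str, Entry] = {}                 # table 24
        self.out_local: List[Encapsulated] = []           # interface 202
        self.out_third_party: List[Packet] = []           # interface 203
        self.out_users: List[Tuple[str, Packet]] = []     # interface 201

    def connect(self, user_id: str, ip: str, vpn_id: Optional[str]) -> None:
        """Connection setup ([0021]-[0023]); an IP may be reused only by
        users connected to different VPNs ([0022])."""
        for e in self.table.values():
            if e.user_id != user_id and e.ip == ip and e.vpn_id == vpn_id:
                raise ValueError("%s already used within VPN %r" % (ip, vpn_id))
        self.table[user_id] = Entry(user_id, ip, vpn_id)

    def users_with_ip(self, ip: str) -> List[Entry]:
        """The ambiguity of [0025]: the IP alone may match several users."""
        return [e for e in self.table.values() if e.ip == ip]

    def from_user(self, user_id: str, pkt: Packet):
        """Interface 201 -> forwarding engine 21 ([0033]-[0035])."""
        entry = self.table[user_id]
        if entry.ip != pkt.src:
            raise ValueError("source address is not the one allocated to this session")
        if ip_address(pkt.dst) not in self.local_net:
            self.out_third_party.append(pkt)    # routing part 23, sent as is
            return pkt
        msg = Encapsulated(channel_for(entry.vpn_id), pkt)   # controller 22
        self.out_local.append(msg)
        return msg

    def from_local(self, msg: Encapsulated) -> str:
        """Interface 202 -> controller 22 ([0036]-[0037]); returns the user id."""
        vpn_id = vpn_for(msg.channel_id)
        hits = [e for e in self.table.values()
                if e.ip == msg.inner.dst and e.vpn_id == vpn_id]
        if len(hits) != 1:
            raise LookupError("no unique user for (%s, %r)" % (msg.inner.dst, vpn_id))
        self.out_users.append((hits[0].user_id, msg.inner))
        return hits[0].user_id

def local_server_reply(req: Encapsulated, payload: bytes) -> Encapsulated:
    """Server 161 answers on the same logical channel ([0029])."""
    return Encapsulated(req.channel_id,
                        Packet(src=req.inner.dst, dst=req.inner.src, payload=payload))

def demo() -> dict:
    """Scenario of [0020]-[0029] with constructed addresses and identifiers."""
    nas = NAS("10.0.0.0/8")
    nas.connect("call:111", "192.168.1.5", "vpn152")   # user 111, host VPN 152
    nas.connect("call:112", "192.168.1.5", "vpn153")   # user 112, same IP, VPN 153
    nas.connect("call:113", "192.168.1.9", None)       # a user connected to no VPN
    req = nas.from_user("call:111", Packet("192.168.1.5", "10.0.0.7", b"GET /"))
    reply_to_112 = Encapsulated("chan-vpn153", Packet("10.0.0.7", "192.168.1.5", b"x"))
    return {"channel": req.channel_id,
            "ambiguous": len(nas.users_with_ip("192.168.1.5")),
            "delivered_to": nas.from_local(local_server_reply(req, b"200 OK")),
            "other_user": nas.from_local(reply_to_112),
            "default_channel": nas.from_user(
                "call:113", Packet("192.168.1.9", "10.0.0.7", b"y")).channel_id}
```

Two checks in the model are worth keeping in a real implementation: connection setup refuses to hand the same address to two users inside the same VPN, since the (IP address, VPN identifier) pair is the only key the return path has; and the controller refuses to deliver an answer unless that pair matches exactly one entry, rather than guessing, because a wrong guess would hand one customer's traffic to another customer who happens to share the address.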
[0038] Alternatively to the embodiment described above, table 24 may not be contained in NAS 20. Table 24 may be stand-alone and accessible by NAS 20 but also by other modules located outside the NAS, in particular modules residing on a server in the local VPN. Table 24 may also be shared by different NASs.

[0039] In another embodiment of the invention, it can be envisaged that two separate NASs treat separately the reception of a message on the first interface 201 and the reception of a message on the second interface 202.



Claims

1. Method for enabling a user (111) registered in a Network Access Server (131) as already connected to a Virtual Private Network (152), called host Virtual Private Network, to communicate with at least one communication device (161) outside of said host Virtual Private Network (152), said Network Access Server (131) having access over a data communication network (14, 151) to said communication device (161) and to a plurality of Virtual Private Networks (151, 152, 153) comprising said host Virtual Private Network, said method being characterized in that it comprises a step of sending messages belonging to a communication between said user (111) and said communication device (161) over a logical channel between said Network Access Server (131) and said communication device (161), said logical channel referring to an identifier of said host Virtual Private Network (152).
2. Method according to claim 1, characterized in that it further comprises the steps of:

- detecting at said Network Access Server (131) a message from said user (111) destined to said communication device (161); and
- forwarding said message from said Network Access Server (131) to said communication device (161) over the logical channel referring to the identifier of said Virtual Private Network (152).

3. Method according to claim 1, characterized in that it further comprises the steps of:

- detecting a message from said communication device (161) being received at said Network Access Server (131) on the logical channel referring to the identifier of a Virtual Private Network (152), said message containing a user destination address;
- determining a user (111) registered in said Network Access Server (131) as already connected to said Virtual Private Network (152) and corresponding to said destination address; and
- forwarding said message from said Network Access Server (131) to said user (111).

4. Method according to any of claims 1 to 3, characterized in that said messages belonging to the communication between said user (111) and said communication device (161) are encapsulated in data packets, said data packets comprising a field containing said identifier of said host Virtual Private Network (152) or an indication derived from said identifier.

5. Method according to claim 4, characterized in that said messages belonging to the communication between said user (111) and said communication device (161) are sent over a tunnel having said identifier of said host Virtual Private Network (152) as tunnel identifier.

6. Method according to any of claims 1 to 5, characterized in that said messages consist of IP packets comprising an IP address of said user (111).

7. Method according to claim 1, characterized in that said communication device (161) is a server belonging to a Virtual Private Network (151), called local Virtual Private Network, associated to said Network Access Server (131) and different from said host Virtual Private Network.

8. Network Access Server (20) for enabling a communication between a user and a communication device, said user being registered in said Network Access Server as already connected to a Virtual Private Network, called host Virtual Private Network, said communication device being outside of said host Virtual Private Network, said Network Access Server being able to access a database associating an identifier of said user to an identifier of said host Virtual Private Network, said Network Access Server being characterized in that it further comprises means for sending messages originating from said user and destined to said communication device on a logical channel between said Network Access Server and said communication device, said logical channel referring to said identifier of said host Virtual Private Network.

9. Network Access Server (20) for univocally retrieving a user, out of a plurality of users, to which a message sent by a communication device and received at said Network Access Server is destined, said user being already connected over said Network Access Server to a Virtual Private Network not comprising said communication device, said Network Access Server being able to access a database (24) associating an identifier of said user to an identifier of said Virtual Private Network to which said user is already connected, said Network Access Server being characterized in that it comprises:

- a logical channel controller (22) for determining a logical channel identifier of the logical channel on which said message is received at said Network Access Server;
- means for retrieving the user to which said message is destined, according to said logical channel identifier and said user entry in said database.